DPC ADDITIONAL ACCREDITATION REQUIREMENTS FOR CERTIFICATION BODIES


September 2020 


An Coimisiún um 
Chosaint Sonraí 
Data Protection 
Commission 







Appendix III
PREFIX
SCOPE
NORMATIVE REFERENCE
TERMS AND DEFINITIONS
GENERAL REQUIREMENTS FOR ACCREDITATION
  4.1 Legal and contractual matters
    4.1.1 Legal responsibility
    4.1.2 Certification agreement ("CA")
    4.1.3 Use of data protection seals and marks
  4.2 Management of impartiality
  4.3 Liability and financing
  4.4 Non-discriminatory conditions
  4.5 Confidentiality
  4.6 Publicly available information
STRUCTURAL REQUIREMENTS, ARTICLE 43(4) ["PROPER" ASSESSMENT]
  5.1 Organisational structure and top management
  5.2 Mechanisms for safeguarding impartiality
RESOURCE REQUIREMENTS
  6.1 Certification body personnel
  6.2 Resources for evaluation
PROCESS REQUIREMENTS
  7.1 General
  7.2 Application
  7.3 Application review
  7.4 Evaluation
  7.5 Review
  7.6 Certification decision
  7.7 Certification documentation
  7.8 Directory of certified products
  7.9 Surveillance
  7.10 Changes affecting certification
  7.11 Termination, reduction, suspension or withdrawal of certification
  7.12 Records
  7.13 Complaints and appeals, Article 43(2)(d)
MANAGEMENT SYSTEM REQUIREMENTS
  8.1 General management system requirements
  8.2 Management system documentation
  8.3 Control of documents
  8.4 Control of records
  8.5 Management review
  8.6 Internal audits
  8.7 Corrective actions
  8.8 Preventive actions
FURTHER ADDITIONAL REQUIREMENTS
  9.1 Updating of evaluation methods
  9.2 Maintaining expertise
  9.3 Responsibilities and competencies
    9.3.1 Communication between Certification Body and its customers
    9.3.2 Documentation of evaluation activities


Appendix III 


Appendix III provides the DPC's additional accreditation requirements with 
respect to ISO/IEC 17065/2012 (hereinafter ISO 17065) and in accordance with 
Articles 43(1)(b) and 43(3) GDPR. The points below (aside from section 9) refer to 
ISO 17065 section headings and set out the additional requirements for the 
relevant ISO 17065 section numbers. 


0 PREFIX 


The Terms of cooperation between the Data Protection Commission (DPC) and 
Irish National Accreditation Board are set out in an agreement (not yet available). 
The agreement sets out roles and responsibilities and operational procedures in 
relation to accreditation for GDPR certification schemes. 


1 SCOPE 


This document contains additional requirements to ISO 17065 for assessing the 
competence, consistent operation and impartiality of GDPR certification bodies. 


The scope of ISO 17065 shall be applied in accordance with the GDPR¹. Pursuant 
to Article 42(1), GDPR certification is only applicable to the processing operations 
of controllers and processors. 


The scope of a certification mechanism (for example, certification of cloud 
service processing operations) should be taken into account in the assessment 
by the National Accreditation Body and the DPC during the accreditation process, 
particularly with respect to criteria, expertise and evaluation methodology. 


The broad scope of ISO 17065 covering products, processes and services should 
not lower or override the requirements of the GDPR, e.g. a governance 
mechanism cannot be the only element of a certification mechanism, as the 
certification must include processing of personal data, i.e. the processing 
operations. 


2 NORMATIVE REFERENCE 
The GDPR has precedence over ISO 17065. If, in the additional requirements or 
by certification mechanism, reference is made to other ISO standards, they shall 
be interpreted in line with the requirements set out in the GDPR. 


¹ The guidelines on accreditation and certification provide further information. 





3 TERMS AND DEFINITIONS 


The terms and definitions of the guidelines on accreditation (EDPB 4/2018) and 
certification (EDPB 1/2018) shall apply and have precedence over ISO definitions. 
For ease of reference the main definitions used in this document are listed 
below. 


2018 Act: Irish Data Protection Act 2018 
ISO 17065: ISO/IEC 17065/2012 


Applicant: the organisation that has applied to have their processing operations 
certified. 


Certification: the assessment and impartial, third-party attestation that the 
fulfilment of certification criteria has been demonstrated in respect of a 
controller or processor's processing operations. 


Accreditation: third-party attestation related to the activities of a certification 
body. This is the result of the assessment process for a successful certification 
body (as part of the accreditation process). 


Accreditation body: body that performs accreditation. In this document this 
term is taken to mean Irish National Accreditation Board. 


Certification body: third party conformity assessment body operating 
certification schemes. 


Certification criteria: the criteria against which an organisation’s processing 
operations are measured for a given certification scheme. 


Certification scheme: a certification system related to specified products, 
processes and services to which the same specified requirements, specific rules 
and procedures apply. It includes the certification criteria and assessment 
methodology. 


Certification mechanism: an approved certification scheme which is available 
to the applicant. It is a service provided by an accredited certification body based 
on approved criteria and assessment methodology. It is the system by which a 
controller or processor becomes certified. 


Client²: the organisation that has been certified (previously the applicant). 
DPC: Data Protection Commission 


² Whenever the term “client” is used in this International Standard (ISO/IEC 17065/2012), it applies to 
both the “applicant” and the “client”, unless otherwise specified. 


General Data Protection Regulation (GDPR): Regulation 2016/679/EC 


National accreditation body: the sole body in a Member State named in 
accordance with Regulation (EC) No 765/2008 of the European Parliament and 
the Council that performs accreditation with authority derived from the State. In 
Ireland the National Accreditation Body is the Irish National Accreditation Board. 


Target of evaluation: In the case of GDPR certification this will be the relevant 
processing operations that the controller or processor is applying to have 
evaluated and certified. 


4 GENERAL REQUIREMENTS FOR ACCREDITATION 


4.1 Legal and contractual matters 

4.1.1 Legal responsibility 

A certification body shall be able to demonstrate (at all times) to the national 
accreditation body that it has up-to-date procedures that demonstrate 
compliance with the legal responsibilities set out in the terms of accreditation, 
including the additional requirements in respect of the application of the GDPR. 


The certification body shall be able to demonstrate that its procedures and 
measures specifically for controlling and handling of client organisation's 
personal data as part of the certification process are compliant with the GDPR 
and the Irish Data Protection Act 2018. 


The certification body shall provide evidence of compliance as required during 
the accreditation process. 


This shall include the certification body confirming to the accreditation body that 
they are not the subject of any DPC investigation or regulatory action in relation 
to the subject matter of the target of evaluation which may mean they do not 
meet this requirement and therefore might prevent their accreditation. 


The certification body shall inform the accreditation body immediately of 
relevant infringements of GDPR or the 2018 Act that may affect its accreditation. 


Prior to issuing or renewing a certification, the certification body shall be 
required to inform the DPC pursuant to Article 43(1). 


4.1.2 Certification agreement (“CA”) 
The certification body shall demonstrate, in addition to the requirements of ISO 
17065, that its certification agreements: 

1. require the client to always comply with both the general certification 
requirements within the meaning of 4.1.2.2 (a) ISO 17065 and the criteria 
approved by the DPC as per Article 43(2)(b) or the EDPB in accordance 
with Article 42(5); 

2. require the client to allow full transparency to the DPC with respect to the 
certification procedure, including confidential materials, whether 
contractual or otherwise, related to data protection compliance 
pursuant to Articles 42(7) and 58(1)(c); 

3. do not reduce the responsibility of the client to comply, as applicable, 
with the GDPR and are without prejudice to the tasks and powers of the 
DPC in line with Article 42(5); 

4. require the client to provide the certification body with all information 
and access to its processing activities which are necessary to conduct the 
certification procedure pursuant to Article 42(6); 

5. require the client to comply with applicable deadlines and procedures. 
The certification agreement must stipulate that deadlines and 
procedures resulting, for example, from the certification programme or 
other regulations must be observed and adhered to; 

6. with respect to ISO 17065/2012 section 4.1.2.2 (c)(1), set out the rules of 
validity, renewal and withdrawal pursuant to Articles 42(7) and 43(4), 
including rules setting appropriate intervals for re-evaluation or review 
(regularity) in line with Article 42(7) and section 7.9 of these additional 
requirements; 

7. require the client to allow the certification body to disclose to the DPC all 
information necessary for granting certification pursuant to Articles 42(8) 
and 43(5); 

8. include rules on the necessary precautions for the investigation of 
complaints within the meaning of 4.1.2.2 (c)(2); additionally, lit. j shall also 
contain explicit statements on the structure and the procedure for 
complaint management in accordance with Article 43(2)(d); 

9. require, in addition to the minimum requirements referred to in 4.1.2.2 
ISO 17065, that if the consequences of withdrawal or suspension of 
accreditation for the certification body impact on the client, the 
consequences for the customer are addressed; 

10. require the client to inform the certification body in the event of relevant 
infringements of the GDPR or the 2018 Act that may affect its certification, as 
soon as they become aware of such an infringement; 

11. include binding evaluation methods with respect to the target of 
evaluation. 


4.1.3 Use of data protection seals and marks 
Certificates, seals and marks shall only be used in compliance with Article 42 and 
43 and the guidelines on accreditation and certification. 


4.2 Management of impartiality 

The accreditation body shall ensure that, in addition to the requirements set out 
in ISO 17065, in particular 3.13 and 4.2, and the requirements of 765/2008/EC, 
the certification body: 

1. complies with the additional requirements of the DPC (pursuant to Article 
43(1)(b)) as set out in this document; 

2. in line with Article 43(2)(a), provides separate evidence of its independence. 
This applies in particular to evidence concerning the financing of the 
certification body in so far as it concerns the assurance of impartiality; 

3. has demonstrated that its tasks and obligations do not lead to a conflict of 
interest pursuant to Article 43(2)(e); 

4. has no relevant connection with the customer it assesses. 


4.3 Liability and financing 

In addition to the requirements of ISO 17065, the accreditation body shall ensure 
that the certification body has appropriate measures (e.g. insurance or reserves) 
to cover its liabilities in the geographical regions in which it operates. 


4.4 Non-discriminatory conditions 
Requirements of ISO 17065 shall apply. 


4.5 Confidentiality 
Requirements of ISO 17065 shall apply. 


4.6 Publicly available information 

In addition to the requirements of ISO 17065, the accreditation body shall, at a 
minimum, require from the certification body that: 

1. all versions (current and previous) of the approved criteria used within 
the meaning of Article 42(5) are published and easily publicly available, as 
well as all certification procedures, generally stating the respective period 
of validity, including, where applicable, that the criteria have been approved by 
the EDPB; 

2. information about complaints handling procedures and appeals is made 
public pursuant to Article 43(2)(d). 


5 STRUCTURAL REQUIREMENTS, ARTICLE 43(4) [“PROPER” ASSESSMENT] 


5.1 Organisational structure and top management 

In addition to the requirements in 5.1.3 of ISO 17065, the accreditation body 
shall require the certification body to appoint a person with overall authority and 
responsibility for overseeing data protection certification evaluation, decisions 
and supervision. 


5.2 Mechanisms for safeguarding impartiality 
Requirements of ISO 17065 shall apply. 


6 RESOURCE REQUIREMENTS 


6.1 Certification body personnel 

Because the GDPR articles specify the elements of data protection certification, 
it is anticipated that both legal and technical personnel will be required to be 
involved in the assessment or evaluation and decision making undertaken by 
certification bodies, in line with the certification scheme and depending on the 
target of evaluation or processing operation that is to be certified. 


The accreditation body shall, in addition to the requirement in section 6 of 
ISO/IEC 17065/2012, ensure for each certification body that its personnel: 


1. has demonstrated appropriate and ongoing expertise (knowledge and 
experience) with regard to data protection pursuant to Article 43(1) and 
related to the subject matter of the certification; 

2. has independence and ongoing expertise with regard to the subject 
matter of the certification pursuant to Article 43(2)(a) and does not have a 
conflict of interest pursuant to Article 43(2)(e); 

3. undertakes to respect the criteria referred to in Article 42(5) pursuant to 
Article 43(2)(b); 

4. has demonstrable, relevant and appropriate knowledge about and 
experience in applying data protection legislation in the context of the 
subject matter of the certification; 

5. has demonstrable, relevant and appropriate knowledge about and 
experience in technical and organisational data protection measures as 
relevant in relation to the subject matter of the certification; 

6. is able to demonstrate experience in the fields mentioned in these 
additional requirements, specifically: 


For personnel with technical expertise: 

• Have obtained a qualification in a relevant area of technical expertise to 
at least EQF³ level 6 or a recognised protected title in the relevant 
regulated profession. 

• Personnel responsible for certification decisions are required to have at 
least two years' professional and comprehensive experience and expertise 
in data protection measures related to certification. 

• Personnel responsible for evaluations are required to have at least two 
years' professional experience in technical data protection and 
knowledge, specialist expertise and professional experience in technical 
procedures (e.g. audits and certifications). 

• Personnel shall demonstrate that they maintain domain-specific knowledge in 
technical and audit skills through continuous professional development. 

For personnel with legal expertise: 

• Legal studies at an EU or state-recognised university for at least eight 
semesters, including the academic degree Master (LL.M.) or equivalent. 

• Personnel responsible for certification decisions are required to have at 
least two years' professional and comprehensive experience and expertise 
in certification measures related to data protection law. 

• Personnel responsible for evaluations are required to have at least two 
years of professional experience in data protection law and knowledge, 
specialist expertise and professional experience in technical procedures 
(e.g. audits and certifications). 

• Personnel shall demonstrate that they maintain domain-specific knowledge in 
technical and audit skills through continuous professional development. 


If evaluation activities are outsourced to external bodies, those bodies shall be 
subject to the same conditions as the certification body. In particular, these data 
protection-specific requirements have to be observed by the subcontracted 
body. 


6.2 Resources for evaluation 
Requirements of ISO 17065 shall apply. 


7 PROCESS REQUIREMENTS 


7.1 General 
The accreditation body shall, in addition to the requirement in section 7.1 of 
ISO 17065, be required to ensure the following: 


1. certification bodies comply with the additional requirements of the DPC 
(pursuant to Article 43(1)(b)) when submitting the application in order that 
tasks and obligations do not lead to a conflict of interests pursuant to 
Article 43(2)(e); 

2. the DPC is notified pursuant to Article 43(1), before a certification body 
starts operating an approved European Data Protection Seal in a new 
Member State from a satellite office; 

3. certification bodies have procedures in place to notify the DPC 
immediately prior to issuing/renewing/withdrawing certifications and 
provide the reasons for taking such actions. This includes providing the 
DPC with a copy of the executive summary of the evaluation report 
referenced in section 7.8 of this document; 

4. the certification body is required to carry out an investigation where the 
client or the DPC notifies them of any significant and relevant 
investigation or regulatory action by the DPC in relation to the scope and 
subject matter of the client’s certification and target of evaluation that 
brings into question the client’s data protection compliance. The 
certification body will undertake the appropriate investigation and 
provide the DPC with a report, advising of the outcome and whether the 
client still conforms to the certification criteria. 

³ See qualification framework comparison tool at https://ec.europa.eu/ploteus/en/compare? 


7.2 Application 
In addition to item 7.2 of ISO 17065 the accreditation body shall ensure that the 
certification body shall require that: 


1. the target of evaluation must be described in detail in the application. 
This also includes interfaces and transfers to other systems and 
organisations, protocols and other assurances; 


2. the application shall specify whether processors are used, and, when a 
processor is the applicant, that their responsibilities and tasks shall be 
described, and the application shall contain the relevant 
controller/processor and/or joint controller contract(s). 


3. the applicant discloses any current or recent DPC investigation or regulatory 
action to which it is subject. 


The certification body shall be required to inform the DPC about all applications 
received at the application stage. 


7.3 Application Review 

In addition to the requirements of ISO 17065, the accreditation body shall 
require that the competence and capability referred to in 7.3.1 (e) of ISO 17065 
take account, as per section 6 above, of both technical and legal expertise in 
data protection to an appropriate extent. 


The application review shall take into account the data protection compliance 
checks referred to in 7.2(3) of this document. The certification body will be 
required to satisfy itself that the applicant is a fit candidate for data 
protection certification. 


7.4 Evaluation 

In addition to the requirements of ISO 17065 the certification mechanisms shall 
describe sufficient evaluation methods for assessing the compliance of the 
processing operation(s) with the certification criteria, including for example 
where applicable: 


1. a method for assessing the necessity and proportionality of processing 
operations in relation to their purpose and the data subjects concerned; 

2. a method for evaluating the coverage, composition and assessment of all 
risks considered by controller and processor with regard to the legal 
consequences pursuant to Articles 30, 32, 35 and 36 GDPR, and with 
regard to the definition of technical and organisational measures 
pursuant to Articles 24, 25 and 32 GDPR, insofar as the aforementioned 
Articles apply to the target of evaluation; 

3. a method for assessing the remedies, including guarantees, safeguards 
and procedures to ensure the protection of personal data in the context 
of the processing to be attributed to the target of evaluation and to 
demonstrate that the legal requirements as set out in the criteria are met; 
and 

4. documentation of methods and findings. 


The certification body shall be required to ensure that these evaluation methods 
are standardised and applied consistently. This means that comparable 
evaluation methods are used for comparable targets of evaluation. Any deviation 
from this procedure shall need to be justified by the certification body. 


In addition to item 7.4.2 of ISO 17065, the evaluation may be carried out by sub- 
contractors who have been recognised by the certification body, using the same 
personnel requirements in section 6. 


In addition to item 7.4.5 of ISO 17065, it shall be provided that existing 
certification, which relates to the same target of evaluation, may be taken into 
account as part of a new evaluation. However, the certificate itself will not be 
sufficient evidence and the certification body shall be obliged to check the 
compliance with the criteria in respect of the target of evaluation. The complete 
evaluation report or information enabling an evaluation of the previous 
certification scheme and its results shall be considered. In cases where existing 
certification is taken into account as part of a new evaluation, the scope of said 
certification should also be assessed in detail in respect of its compliance with 
the relevant certification criteria. 


The certification body shall be able to access all necessary 
information/documentation in order to be able to take an informed decision. 

In addition to item 7.4.6 of ISO 17065, it shall be required that the certification 
body shall set out in detail in the certification scheme how the information 
required in item 7.4.6 informs the applicant about non-conformities from a 
certification mechanism. This will include at a minimum the nature and timing of 
such information. This is applicable to all certification bodies. 


In addition to item 7.4.9 of ISO 17065, it shall be required that the evaluation 
documentation be made fully accessible to the DPC upon request. 


7.5 Review 

In addition to item 7.5 of ISO 17065, procedures for the granting, regular review 
and revocation of the respective certifications pursuant to Article 43(2) and 43(3) 
are required. 


7.6 Certification decision 

In addition to point 7.6.1 of ISO 17065, the certification body shall be required to 
set out in detail in its procedures how its independence and responsibilities with 
regard to individual certification decisions are ensured. 


In addition to the requirements of ISO 17065, immediately prior to issuing or 
renewing certification, the certification body shall be required to submit the draft 
approval, including the executive summary of the evaluation report to the DPC. 
The executive summary will clearly describe how the criteria are met thus 
providing the reasons for granting or maintaining the certification. 


In addition to the check carried out at the application stage, prior to issuing 
certification, the certification body shall be required to confirm with the applicant 
that they are not the subject of any DPC investigation or regulatory action in 
relation to the target of evaluation, which might prevent certification being 
issued. 


The DPC will confirm where appropriate that this is the case prior to the 
certification body issuing or renewing certification. If it is discovered that the 
applicant has not disclosed such action to the certification body, this may result 
in the certification not being issued. 


7.7 Certification documentation 

In addition to item 7.7.1(e) of ISO 17065 and in accordance with Article 42(7) 
GDPR, it shall be required that the period of validity of certifications shall not 
exceed three years. 


In addition to item 7.7.1(e) of ISO 17065, it shall be required that the period of 
the intended monitoring within the meaning of section 7.9 will also be 
documented. 
In addition to item 7.7.1(f) of ISO 17065, the certification body shall be required 
to name the target of evaluation in the certification documentation (stating the 
version status or similar characteristics, if applicable). 


On issuing the certificate, the certification body shall be required to provide the 
DPC with a copy of the certification documentation referred to in 7.7.1 of ISO 
17065. 


7.8 Directory of certified products 

In addition to requirements of 7.8 of ISO 17065, the certification body shall make 
publicly accessible a record of the certifications issued and on which basis, 
including information about the certification mechanism and how long the 
certifications are valid for. 


The certification body will provide to the public an executive summary of the 
evaluation report. The aim of this executive summary is to help with 
transparency around what has been certified and how it was assessed. It will 
explain such things as: 


(a) the scope of the certification and a meaningful description of the target of 
evaluation, 

(b) the respective certification criteria (including version or functional status), 
(c) the evaluation methods and tests conducted and 

(d) the result(s). 


7.9 Surveillance 

In addition to points 7.9.1, 7.9.2 and 7.9.3 of ISO 17065, and according to Article 
43(2)(c) GDPR, it shall be required that regular monitoring measures are 
obligatory to maintain certification during the monitoring period. Such measures 
should be risk based and proportionate and the maximum period between 
surveillance activities should not exceed 12 months. 


7.10 Changes affecting certification 
In addition to points 7.10.1 and 7.10.2 of ISO 17065, changes affecting 
certification to be considered by the certification body shall include: 


• any personal data breach under the GDPR or the 2018 Act reported by the 
client or the DPC in relation to the subject matter of certification; 

• any infringement of the GDPR or the 2018 Act reported by the client or the 
DPC in relation to the subject matter of certification; 

• developments in the state of the art of technology employed in the 
subject matter of certification; 

• amendments to data protection legislation; 

• the adoption of delegated acts of the European Commission in 
accordance with Articles 43(8) and 43(9); 

• relevant publications adopted by the European Data Protection Board 
pursuant to Article 39 of the Rules of Procedure of the Board, 
including decisions, guidance and opinions; 

• court decisions related to data protection. 


The change procedures to be agreed here could include such things as: 
transition periods, approvals process with the DPC, reassessment of the relevant 
target of evaluation and appropriate measures to revoke the certification if the 
certified processing operation is no longer in compliance with the updated 
criteria. 


7.11 Termination, reduction, suspension or withdrawal of certification 

In addition to point 7.11.1 of ISO 17065 and 7.1(3) of this document, the 
certification body shall be required to inform the DPC immediately in writing 
about measures taken and about continuation, restrictions, suspension and 
withdrawal of certification. 


According to Article 58(2)(h), the certification body shall be required to accept 
decisions and orders from the DPC to withdraw or not to issue certification to a 
customer (applicant) if the requirements for certification are not or no longer met. 


7.12 Records 
In addition to point 7.12 of ISO 17065, the certification body is required to keep 
all documentation complete, comprehensible, up-to-date and fit to audit. 


7.13 Complaints and appeals, Article 43(2)(d) 

In addition to item 7.13.1 of ISO 17065, the certification body shall define: 

(a) who can file complaints or objections, 

(b) who processes them on the part of the certification body, 

(c) which verifications take place in this context; and 

(d) the possibilities for consultation of interested parties. 

In addition to item 7.13.2 of ISO 17065, the certification body shall define: 

(a) how and to whom such confirmation must be given, 

(b) the time limits for this; and 

(c) which processes are to be initiated afterwards. 


Certification bodies shall be required to make their complaints handling 
procedures publicly available and easily accessible to data subjects. 


The certification body shall be required to inform complainants of the progress 
and the outcome of the complaint within a reasonable period. 


In addition to item 7.13.1 of ISO 17065, the certification body must define how 
separation between certification activities and the handling of appeals and 
complaints is ensured. 
8 MANAGEMENT SYSTEM REQUIREMENTS 

In addition to the requirements of ISO 17065, management principles and their 
documented implementation must be transparent and be disclosed by the 
accredited certification body in the accreditation procedure pursuant 
to Article 58 and thereafter at the request of the DPC at any time during an 
investigation in the form of data protection reviews pursuant to Art. 58(1)(b) or a 
review of the certifications issued in accordance with Article 42(7) pursuant to 
Article 58(1)(c). 


The procedures in the event of suspension or withdrawal of the accreditation 
shall be integrated into the management system of the certification body, 
including notification to their clients and applicants. 


A complaints handling process with the necessary levels of independence shall 
be established by the certification body as an integral part of the management 
system, which shall in particular implement the requirements of points 4.1.2.2(c), 
4.1.2.2(j), 4.6(d) and 7.13 of ISO 17065. 


8.1 General management system requirements 
Requirements of ISO 17065 shall apply. 

8.2 Management system documentation 
Requirements of ISO 17065 shall apply. 

8.3 Control of documents 
Requirements of ISO 17065 shall apply. 

8.4 Control of records 
Requirements of ISO 17065 shall apply. 

8.5 Management review 
Requirements of ISO 17065 shall apply. 

8.6 Internal audits 
Requirements of ISO 17065 shall apply. 

8.7 Corrective actions 
Requirements of ISO 17065 shall apply. 

8.8 Preventive actions 
Requirements of ISO 17065 shall apply. 
9 FURTHER ADDITIONAL REQUIREMENTS 


9.1 Updating of evaluation methods 

The certification body shall establish procedures to guide the updating of 
evaluation methods for application in the context of the evaluation under point 
7.4. of this document. The update must take place in the course of changes in 
the legal framework, the relevant risk(s), the state of the art and the 
implementation costs of technical and organisational measures. 


9.2 Maintaining expertise 

Certification bodies shall establish procedures to ensure the training of their 
employees with a view to updating their skills, taking into account the 
developments listed in point 9.1 of this document. 


9.3 Responsibilities and competencies 


9.3.1 Communication between Certification Body and its customers 
Procedures shall be in place for implementing appropriate processes and 
communication structures between the certification body and its customer. This 
shall include: 

1. Maintaining documentation of tasks and responsibilities by the accredited 
certification body, for the purpose of 
  a. responding to information requests; or 
  b. enabling contact in the event of a complaint about a certification. 

2. Maintaining an application process for the purpose of 
  a. information on the status of an application; 
  b. evaluations by the DPC with respect to 
    i. feedback; 
    ii. decisions by the DPC. 


9.3.2 Documentation of evaluation activities 

Systems shall be in place for implementing appropriate procedures and 
communication structures between the certification body and the DPC. This shall 
include a reporting framework to inform the DPC: 

• of the details of the applicant on receipt of an application, to enable the DPC to check 
its records for the applicant’s compliance history as per section 7.6 of this 
document; 

• of the reasons for granting/withdrawing certification pursuant to Article 
43(5), immediately prior to issuing, renewing, suspending or withdrawing 
certifications as per section 7.1(3) of this document. 